System and implementation method of controlled multicast

ABSTRACT

A system and method for implementing controlled multicast. The system comprises Ethernet switch 1, multicast router 2, and a portal server 3 and AAA server 4 that connect with the multicast router. Ethernet switch 1 connects with each host of a user in the downlink, connects with multicast router 5 in the uplink and implements layer 2 multicast switching; portal server 3 serves as the interface for user access authentication, and AAA server 4 stores the configuration of each user's privilege to join a multicast group; multicast router 2 connects with multicast router 5 of other systems in the uplink, cooperates with AAA server 4 to complete privilege authentication for a user joining a multicast group, distributes control commands according to the authentication result, and controls the multicast forwarding performed by Ethernet switch 1. The method according to the present invention better resolves the authenticated authorization and controlled-join problem for senders and receivers joining a multicast, can conveniently identify the host joining or leaving a multicast group, and can actively terminate a user's group membership when the user goes offline, without any influence on forwarding efficiency.

FIELD OF THE TECHNOLOGY

The present invention relates generally to IP multicast techniques and, more particularly, to an IP controlled multicast system and its implementation method in the telecommunication field.

BACKGROUND OF THE INVENTION

With the maturation of IP multicast techniques, IP multicast applications are becoming increasingly widespread. However, in the IP model any host can join any multicast group without limitation, and until now there has been no effective method for solving the controlled-join problem of a host in an IP multicast network.

It is well known that, in the IP multicast model, a multicast group comprises senders and receivers connected by a multicast distribution tree. When a sender needs to send data to a certain group, the host transmits the data directly to the multicast router it connects with, and the multicast router then forwards the data to the multicast receivers via the multicast distribution tree, with no limitation on which host may send messages. When a host wants to receive data from a certain multicast group, it sends a Membership Report message to its connected multicast router according to the Internet Group Management Protocol (IGMP for short), and the multicast router forwards the data of that multicast group to the host after processing the Membership Report; likewise, the multicast router places no limitation on which host may obtain the multicast messages. With the commercialization of IP multicast applications, multicast security has become an urgent problem that should be solved as soon as possible, the key to which is prohibiting unauthorized receivers from receiving multicast messages.

Norihiro Ishikawa et al. proposed an IGMP extension protocol, “IGMP Extension for Authentication of IP Multicast” (published as draft-ietf-idmr-igmp-auth-01.txt), and a RADIUS extension protocol, “RADIUS Extension for Multicast Router Authentication” (published as draft-yamanouchi-RADIUS-ext-00.txt; RADIUS is the abbreviation of Remote Authentication Dial In User Service), with which authentication of the sender and the receiver can be performed.

The IGMP extension protocol above is an extension of IGMP V2 (version 2), in which an authentication function for the multicast sender and the multicast receiver is added to prevent unauthorized users from sending or receiving multicast packets. The IGMP extension adopts a Challenge-Response mechanism similar to the PPP authentication protocol CHAP (Challenge Handshake Authentication Protocol): a three-way handshake with an encrypted password is used to authenticate the user. Once a multicast sender begins to transmit IP multicast messages, an Ingress router may authenticate it with the challenge-response mechanism, and may use RADIUS as the authentication server during the process. When authentication succeeds, the multicast packets from the sender are forwarded by the Ingress router into the IP multicast network and on to an Egress router; when authentication fails, the Ingress router silently discards the multicast packets. Authentication by the Egress router is needed when a multicast receiver wants to receive IP multicast messages, and the Egress router may likewise use RADIUS as the authentication server. Once authentication succeeds, the Egress router begins to transmit the IP multicast packets to the receiver; otherwise, no IP packets are forwarded to the receiver.

The RADIUS extension protocol above is an extension of RADIUS that can authenticate the multicast sender and the multicast receiver at the Ingress router and the Egress router, and track the multicast data of the user to provide data for service management. The authentication server must be able to provide the authentication service required by the multicast router, and the multicast router must provide the identification (User ID) and password of the user. To ensure security, the authentication process must be challenge-based, and every service must be authenticated; for instance, authentication must be made for the address of each multicast group. The reason is that multicast packets are transmitted according to the group address, so the authority of a user should be correlated with the group. Apart from some additional attributes, the other requirements are the same as those of RADIUS. Whether or not the multicast router performs RADIUS authentication is optional.

When configured to support RADIUS charging, the multicast router generates a charging start message at the beginning of the multicast service and sends it to a RADIUS multicast charging server; the message describes the type of the service. After receiving the charging start message, the RADIUS multicast charging server returns a confirmation message. When the multicast service is completed, the multicast router also generates a charging end message and sends it to the RADIUS multicast charging server, which again returns a confirmation message; the charging end message also describes the type of the service.

After receiving an IGMP Join request, the multicast router sends an Access-Request message to a RADIUS multicast authentication server to ask for authentication. After receiving a response from the RADIUS multicast authentication server indicating that authentication succeeded, the multicast router sends an Account-Request/Start message to the RADIUS multicast charging server to start charging. On receiving an IGMP Leave request, the multicast router sends an Account-Request/Stop message to the multicast charging server to terminate charging. If no response is returned to the multicast router within a certain period of time, the RADIUS extension protocol advises the multicast router to resend the Access-Request message several times in succession. The multicast charging server can also ask other servers (such as a proxy server) to implement the charging function. If it is unable to record the charging message successfully, the multicast charging server does not send an Accounting-Response confirmation message to the multicast router.

Moreover, a means for controlling the forwarding table of a layer 2 equipment by a layer 3 equipment, which can control authorized reception to a certain extent, has been provided. As shown in FIG. 1, the control message used to control the forwarding table of the layer 2 equipment is composed of a version number (Ver, 4 bits), a Type (3 bits), a Reserved field (2 bytes), the number of GDA/USA pairs in the message (Count, 1 byte) and several GDA/USA pairs. Here the GDA (Group Destination Address) is the MAC multicast address corresponding to the IP address of the multicast group that the host wants to join, and the USA (Unicast Source Address) is the MAC address of the host that wants to join the multicast group, which is a unicast address.
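The FIG. 1 control message described above, as an added Python example that is not code from the patent: a builder and a parser for the Ver/Type/Reserved/Count header followed by GDA/USA pairs, together with the IPv4 group to Ethernet MAC mapping that yields 0100.5e01.0203 for 224.1.2.3. The page does not give the bit order of the first byte or the Type code values, so packing Ver in the high nibble and Type in bits 3..1 with one padding bit, and the JOIN/LEAVE codes, are assumptions of this example. The parser refuses a Count that disagrees with the message length and a GDA or USA of the wrong address kind, which is the check a switch should make before touching its forwarding table.

```python
import struct
import ipaddress

# Header from FIG. 1: Ver (4 bits) and Type (3 bits) packed into one byte
# (assumed bit order: Ver high nibble, Type bits 3..1, low bit padding),
# then Reserved (2 bytes) and Count (1 byte); then Count 12-byte GDA/USA pairs.
HDR = struct.Struct("!BHB")
JOIN, LEAVE = 1, 2   # hypothetical Type codes; the page does not define them


def group_mac(group):
    """IPv4 multicast group -> Ethernet multicast MAC (01:00:5e + low 23 bits)."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError("not a multicast group: %s" % group)
    return bytes([0x01, 0x00, 0x5E]) + (int(addr) & 0x7FFFFF).to_bytes(3, "big")


def mac_str(mac):
    """Dotted form used on the page, e.g. 0100.5e01.0203."""
    return ".".join("%02x%02x" % (mac[i], mac[i + 1]) for i in (0, 2, 4))


def parse_mac(text):
    return bytes.fromhex(text.replace(".", "").replace(":", ""))


def build_control_message(msg_type, pairs, ver=1):
    """pairs: list of (group_ip, host_mac_text); returns the wire bytes."""
    if not (0 <= ver < 16 and 0 <= msg_type < 8):
        raise ValueError("Ver must fit in 4 bits and Type in 3 bits")
    if len(pairs) > 255:
        raise ValueError("Count is a single byte")
    body = b""
    for group, host in pairs:
        usa = parse_mac(host)
        if len(usa) != 6 or usa[0] & 1:      # I/G bit set means not a unicast MAC
            raise ValueError("USA must be a unicast MAC: %s" % host)
        body += group_mac(group) + usa
    first = (ver << 4) | (msg_type << 1)
    return HDR.pack(first, 0, len(pairs)) + body


def parse_control_message(data):
    """Returns (ver, type, [(gda_text, usa_text), ...]) or raises ValueError."""
    if len(data) < HDR.size:
        raise ValueError("truncated header")
    first, _reserved, count = HDR.unpack_from(data)
    ver, msg_type = first >> 4, (first >> 1) & 0x7
    if len(data) != HDR.size + 12 * count:   # Count must agree with the length
        raise ValueError("length %d does not match Count %d" % (len(data), count))
    pairs = []
    for i in range(count):
        off = HDR.size + 12 * i
        gda, usa = data[off:off + 6], data[off + 6:off + 12]
        if gda[:3] != b"\x01\x00\x5e" or usa[0] & 1:
            raise ValueError("GDA must be an IP-multicast MAC and USA a unicast MAC")
        pairs.append((mac_str(gda), mac_str(usa)))
    return ver, msg_type, pairs


def is_well_formed(data):
    try:
        parse_control_message(data)
        return True
    except ValueError:
        return False
```

Running `build_control_message(JOIN, [("224.1.2.3", "0080.c7a2.1093")])` produces the 16-byte message for the FIG. 2 join of host 1, and parsing it back returns the GDA/USA pair in the page's dotted notation.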

As shown in FIG. 2, the process of the means for controlling the forwarding table of a layer 2 equipment by a layer 3 equipment is as follows. Host 1 sends an IGMP Membership Report message to join multicast group 224.1.2.3; the switch uses the MAC address 0100.5e01.0203 that corresponds to the multicast group address resolved from the message to search for a matching entry in its CAM (Content-Addressable Memory) table; because there is no matching entry in the CAM table, the message is forwarded (flooded) to all ports, including the CPU and the multicast router. After receiving the IGMP Membership Report message, the multicast router, besides performing routine processing, produces a Join message and multicasts it to the switch; the Join message comprises the MAC address (USA: 0080.c7a2.1093) of the host that applies to join the multicast group, the MAC address (GDA: 0100.5e01.0203) of the multicast group being joined, and a Join command field. After receiving the Join message, the switch adds an entry to the CAM table that includes the GDA (0100.5e01.0203 in the drawings), the port number (marked as 2 in the drawings) of the host that wants to join the multicast group, and the port number (marked as 1 in the drawings) of the multicast router connected with the switch. The port number of the host is obtained by searching with the USA.

As shown in FIG. 3, when the fourth host, host 4, joins multicast group 224.1.2.3, it likewise sends the IGMP Membership Report message to the switch; after resolving that the destination group IP address is 224.1.2.3, the switch finds the entry by searching the CAM table with the corresponding MAC address 0100.5e01.0203, and forwards the message to ports 1 and 2 (the multicast router and host 1, respectively) listed in the entry. After receiving the IGMP Membership Report message, besides performing routine processing, the multicast router produces a Join message and multicasts it to the switch; the message comprises the MAC address of the host that applies to join the multicast group (USA: 0800.c7b3.2174), the MAC address (GDA: 0100.5e01.0203) of the multicast group being joined, and the Join command field. After receiving the Join message, the switch obtains the entry by searching the CAM table with the GDA, obtains port number 5 of host 4 by searching the CAM table with the USA, and adds port number 5 to the entry.

Although the cooperative extension method between IGMP and RADIUS above solves the authorization problem for the sender and the receiver, some shortcomings remain.

(1) Once a host has joined the multicast group successfully in a shared network, all the other hosts will be able to receive the multicast data, which means it is impossible to prevent unauthorized hosts from receiving the multicast data. If a key-based method is adopted to solve the problem, distributing keys to each host before authentication brings numerous limitations and troubles.

(2) If both of these two protocols are adopted, it is necessary not only to upgrade the multicast router equipment but also to modify the IGMP software on the host side. Furthermore, neither of the two protocols is standardized, and present hosts do not support the IGMP extension.

The defects of the means for controlling the forwarding table of a layer 2 equipment by a layer 3 equipment can be noted as follows.

(1) No relation is provided between the forwarding control that the multicast router exerts on the layer 2 switch and the authorized reception of the host/user, and no method for authenticating and authorizing the user to join the multicast group is provided either; the control method provided only controls the flooding of multicast messages at the ports of the layer 2 switch.

(2) The multicast router cannot detect “Silent Leave” of the host/user.

SUMMARY OF THE INVENTION

It is an object to provide a controlled multicast system, in order to provide an application environment for the controlled multicast method of the invention.

It is another object to provide a method for implementing controlled multicast, in order to overcome the multicast disadvantages of the prior art, which includes the cooperative method between the IGMP extension and the RADIUS extension, and the means for controlling the forwarding table of a layer 2 equipment by a layer 3 equipment; at the same time, the method can better solve the problems of authorization, authentication and controlled join for the senders and receivers that participate in the multicast.

A controlled multicast system includes an Ethernet switch and a multicast router, wherein the Ethernet switch connects with each host of a user in the downlink and with the multicast router in the uplink, the multicast router connects with a multicast router of other systems in the uplink, the Ethernet switch implements layer 2 multicast switching, and the IGMP V2 protocol is adopted as the group management protocol between the Ethernet switch and the host of the user; the controlled multicast system further comprises a portal server and an AAA server that connect with the multicast router, the portal server acting as the interface for user access authentication and the AAA server storing the configuration of the user's privilege to join a multicast group; the multicast router cooperates with the AAA server to implement privilege authentication for the user joining the multicast group, and distributes control commands according to the authentication results to control the multicast forwarding operations of the Ethernet switch.

A RADIUS+ protocol extended from the AAA protocol is adopted as the communication protocol between the multicast router and the AAA server; the group management protocol HGMP (Huawei Group Management Protocol) is used as the control protocol between the Ethernet switch and the multicast router.

A method for implementing controlled multicast comprises: first implementing access authentication; then an Ethernet switch classifying vlans according to ports and handling an IGMP message from a host, implementing user identification and authentication for joining a multicast group, and a multicast router handling the IGMP message; next, the multicast router controlling the multicast forwarding of the Ethernet switch, with the HGMP protocol used between them as the control protocol of the controlled multicast; after that, the Ethernet switch processing the HGMP control message and forwarding the multicast flow; and the host leaving the multicast group, with corresponding processing, after the forwarding operation is finished.

wherein the step of implementing access authentication comprises,

(1) when accessing the network, the host first inputting authentication information that includes a User ID and a password through an interface provided by a portal server, and an AAA server authenticating the identity of the host with that information; once the authentication is successful, the multicast router recording the User ID and the corresponding vlan ID of the host in the user's multicast access privilege table;

the step of the Ethernet switch classifying the vlan according to the port and handling the IGMP message from the host comprises,

(2) classifying the vlans according to the ports, with one vlan for each port and one host linked to each port; searching the Content-Addressable Memory (CAM) table with the destination MAC address of the IGMP message sent by the host and forwarding the IGMP message, the forwarding process being the same as that of a unicast message: if the port corresponding to the destination MAC address is found, forwarding the multicast message to that port, otherwise forwarding the multicast message to all ports;

the step of implementing user identification and authentication for joining the multicast group, and the multicast router handling the IGMP message, comprises,

(3) after receiving an IGMP Membership Report message, the multicast router finding, according to the vlan ID in the message, the corresponding User ID and the host to which the IGMP Membership Report message belongs by searching the user's multicast access privilege table recorded in step (1), and then sending an extended RADIUS authentication message, which carries the User ID just found as the user name and the address of the multicast group the host wants to join as an attribute, to the AAA server for authentication;

the AAA server determining whether to accept the user based on the user's services; if the user has the suitable privilege, responding with an acceptance message, otherwise returning a reject message; after receiving the reject message, the multicast router doing nothing, but on receiving the acceptance message, the multicast router writing the address of the multicast group that the user may join into the user's multicast access privilege table, performing routine processing on the host's join message, then generating and transmitting an HGMP Join message to the Ethernet switch, which comprises the vlan ID corresponding to the port that links with the host wanting to join the multicast group, the address of the multicast group applied for, and a Join command field; moreover, the multicast router also completing the routine processing of creating the multicast forwarding tree for the IGMP Membership Report message, just as an ordinary multicast router does;

the step of the multicast router controlling the multicast forwarding of the Ethernet switch, with the HGMP protocol as the control protocol of the controlled multicast, comprises,

(4) the multicast router managing the creation and deletion of entries in the CAM table of the Ethernet switch; when allowing the host to join the multicast group, the multicast router sending to the Ethernet switch the HGMP Join message, which includes the vlan ID of the host applying to join the multicast group and the address of the multicast group applied for; when the multicast router wants to terminate the host's membership in the multicast group, the multicast router transmitting an HGMP Leave message, which comprises the vlan ID of the host leaving the multicast group and the address of the multicast group being left;

the step of the Ethernet switch processing the HGMP control message comprises,

(5) after receiving the HGMP Join message, the Ethernet switch searching the CAM table with the MAC address corresponding to the multicast group address; if an entry corresponding to that address is found, the Ethernet switch obtaining the port number of the host via the vlan ID in the HGMP Join message and adding the port number to that entry; if nothing is found, adding an entry to the CAM table that comprises the MAC address corresponding to the multicast address, the port number of the host applying to join the multicast group, and the port number of the multicast router connected with the Ethernet switch;

after receiving the HGMP Leave message, the Ethernet switch obtaining the entry by looking up the CAM table with the MAC address corresponding to the multicast group address, obtaining the port number of the host through the vlan ID, and then deleting that port number from the entry; if that port number is the only port in the entry, deleting the whole entry;

the step of forwarding the multicast flow comprises,

(6) when receiving the multicast flow sent from the multicast source, the multicast router forwarding the multicast flow to an egress based on a CAM table; when handling the host's IGMP Membership Report message, the multicast router creating the multicast forwarding egress according to the real port of the Ethernet switch, so that only one copy of the multicast flow is sent to the Ethernet switch;

the step of the host leaving the multicast group comprises,

(7) after finishing with the multicast and wanting to leave the multicast group, the host sending an IGMP Leave message; after receiving the IGMP Leave message, the multicast router extracting the vlan ID from the message, obtaining the corresponding entry by searching the multicast access privilege table created in step (1) with the vlan ID, and deleting from that entry the address of the multicast group indicated by the IGMP Leave message; after completing routine processing of the leave message, the multicast router generating the HGMP Leave message and sending it to the Ethernet switch, the message including the vlan ID of the host that wants to leave the group, the address of the multicast group being left, and a Leave command field.

The CAM table and the unicast forwarding table of the Ethernet switch are shared.

During message forwarding, a vlan protocol is adopted between the port of the multicast router and the Ethernet switch.

In step (6), there is no vlan ID in the multicast data packets of the multicast flow sent from the multicast router.

The leaving of the multicast group in step (7) can also be implemented by the following means: once the multicast router learns that the user is offline, the multicast router actively sends the HGMP Leave message to terminate transmission of the multicast flow to the host, with the same processing as for the IGMP Leave message.

The method further comprises controlling the multicast sender: when the host transmits data to the multicast group, the first multicast router to receive it filters the data messages with a multicast Access Control List (ACL), and forwards to the multicast tree only the data messages that satisfy the requirements of the ACL.

The multicast ACL comprises a command word, a source address and a group address.

The multicast ACL is distributed to each multicast router by a centralized multicast service control server; the step of controlling the sender is accomplished by the multicast router with the multicast ACL, and the multicast service control server also acts as the AAA server.

The multicast ACL can also be distributed by a centralized policy server or a network manager.
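The sender-side control described above (an ACL of command word, source address and group address applied by the first multicast router) as an added Python example, not the patent's own code. The page gives only the three fields, so the rule syntax (CIDR prefixes, the keyword "any"), first-match evaluation and an implicit final deny for unmatched senders are assumptions of this example; the sample ACL and packets are constructed.

```python
import ipaddress

# Each rule is (command word, source address, group address), as on the page.
# Assumed syntax: addresses are CIDR prefixes or "any"; rules are evaluated
# in order and the first match decides; anything unmatched is denied.


def _net(spec):
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)


class MulticastACL:
    def __init__(self, rules):
        self.rules = []
        for cmd, src, grp in rules:
            if cmd not in ("permit", "deny"):
                raise ValueError("command word must be permit or deny: %r" % cmd)
            self.rules.append((cmd, _net(src), _net(grp)))

    def permits(self, src, grp):
        """True if the first matching rule is a permit; a non-multicast
        destination or an unmatched (source, group) pair is never forwarded."""
        s, g = ipaddress.ip_address(src), ipaddress.ip_address(grp)
        if not g.is_multicast:
            return False
        for cmd, sn, gn in self.rules:
            if (sn is None or s in sn) and (gn is None or g in gn):
                return cmd == "permit"
        return False


def first_hop_filter(acl, packets):
    """Splits the packets arriving at the first multicast router into those
    forwarded into the multicast tree and those dropped."""
    forwarded, dropped = [], []
    for p in packets:
        (forwarded if acl.permits(p["src"], p["dst"]) else dropped).append(p)
    return forwarded, dropped


# Constructed sample policy: one authorized source for 224.1.2.3 (the group used
# throughout the page), and a subnet allowed to send to the 239.0.0.0/8 range.
SAMPLE_ACL = MulticastACL([
    ("permit", "10.0.0.7/32", "224.1.2.3/32"),
    ("deny",   "10.0.0.0/24", "224.1.2.3/32"),
    ("permit", "10.0.0.0/24", "239.0.0.0/8"),
])

# Constructed sample data messages as seen by the first-hop router.
SAMPLE_PACKETS = [
    {"src": "10.0.0.7",  "dst": "224.1.2.3"},   # authorized sender: forwarded
    {"src": "10.0.0.9",  "dst": "224.1.2.3"},   # same subnet, not authorized: dropped
    {"src": "10.0.0.9",  "dst": "239.1.1.1"},   # inside the permitted range: forwarded
    {"src": "192.0.2.5", "dst": "239.1.1.1"},   # matches no rule: implicit deny
]


def sample_decision():
    """Returns the forwarded flows as 'src->group' strings and the drop count."""
    fwd, drp = first_hop_filter(SAMPLE_ACL, SAMPLE_PACKETS)
    return [p["src"] + "->" + p["dst"] for p in fwd], len(drp)
```

Because the rules are evaluated in order, the specific permit for 10.0.0.7 must precede the subnet-wide deny; swapping the first two rules would silently cut off the authorized sender, which is the usual ACL ordering mistake to check for when a policy server pushes a new list.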

The main advantages of the present invention are as follows. The method provides an effective technical means for authenticated authorization when a user joins a multicast group, ensuring that only authorized users can join; through the one-to-one relationship among the port, the user and the vlan ID, together with access authentication of the user, the user who joins or leaves the multicast group can be easily identified. The multicast router exerts active and decisive control over the multicast forwarding function of the layer 2 switch and distributes its control policy to the Ethernet switch, which better solves the control problems of the IP multicast service. Secondly, when the host leaves the multicast group without sending an IGMP Leave message, for instance when the multicast application program terminates abnormally, the group membership can be actively terminated when the user goes offline. Furthermore, introducing the control means of the present invention has no influence on forwarding efficiency. The method of the present invention has a promising application future.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic diagram of the control message format in the prior art.

FIG. 2 is a schematic diagram illustrating the signal flow when host 1 joins multicast group 224.1.2.3 first, in the process of the prior-art means for controlling the forwarding table of a layer 2 equipment by a layer 3 equipment.

FIG. 3 is a schematic diagram illustrating the signal flow when host 4 joins multicast group 224.1.2.3 second, in the process of the prior-art means for controlling the forwarding table of a layer 2 equipment by a layer 3 equipment.

FIG. 4 is a schematic diagram illustrating the system structure of the controlled multicast system according to the present invention.

FIG. 5 is a schematic diagram illustrating the signal flow during access authentication of host 1 in the controlled multicast according to the present invention.

FIG. 6 is a schematic diagram illustrating the signal flow when host 1 joins multicast group 224.1.2.3 first in the controlled multicast according to the present invention.

FIG. 7 is a schematic diagram illustrating the signal flow when host 4 joins multicast group 224.1.2.3 second in the controlled multicast according to the present invention.

FIG. 8 is a schematic diagram illustrating the signal flow with which the multicast router forwards the multicast flow in the controlled multicast according to the present invention.

FIG. 9 is a schematic diagram illustrating the signal flow when host 1 leaves multicast group 224.1.2.3 in the controlled multicast according to the present invention.

FIG. 10 is a schematic diagram illustrating the centralized control scheme in the controlled multicast system according to the present invention.

EMBODIMENTS OF THE INVENTION

The present invention will be described in more detail hereinafter with reference to the accompanying drawings.

Now refer to FIG. 4. The invention provides a controlled multicast system that includes Ethernet switch 1 and multicast router 2, wherein Ethernet switch 1 connects with each host of the user in the downlink, and in the uplink with multicast router 2, which further connects with multicast router 5 of other systems; the IGMP V2 (version 2) protocol is used as the group management protocol between the host and the Ethernet switch, which implements layer 2 multicast switching. The controlled multicast system further comprises portal server 3 and AAA server 4, which connect with multicast router 2; portal server 3 is used as the interface of access authentication for the users, AAA server 4 is used for storing the privilege configuration of users who want to join a multicast group, a client-server structure is adopted between AAA server 4 and multicast router 2, and multicast router 2, together with AAA server 4, authenticates the privilege of users who want to join the multicast group and distributes control orders according to the authentication results, in order to control the multicast forwarding operation of Ethernet switch 1. In the invention, the RADIUS+ protocol, extended from the standard RADIUS protocol, is adopted as the communication protocol between multicast router 2 and AAA server 4, and the group management protocol HGMP is used as the control protocol between Ethernet switch 1 and multicast router 2.

The implementing method and operational steps of the complete process of a host joining a multicast group according to the present invention will be described in more detail hereinafter with reference to the accompanying drawings FIG. 5 to FIG. 10 and an embodiment.

As shown in FIG. 5, when a certain host (say host 1) wants to access the network, the host must first authenticate through the interface provided by the portal server; the AAA server is the authentication server. In the pane at the right side of the AAA server in the drawing, User ID represents the user name input by the user during authentication, and group represents the address of the multicast group the user wants to join. The Ethernet switch (LAN Switch) classifies vlans according to ports, each of which connects with one user. Port 1 links the multicast router, and ports 2 to 5 connect hosts 1 to 4, respectively. Once authentication succeeds, the multicast router records the User ID of host 1 (i.e. host 1) and the corresponding vlan number (i.e. vlan 1) of host 1 (here it is assumed that the user name in the user account of host 1 is host 1).

As shown in FIG. 6, when host 1 wants to join a multicast group (assume group 224.1.2.3), the host sends the IGMP Membership Report message to join multicast group 224.1.2.3; the Switching Engine searches the CAM table with the destination MAC address 0100.5e01.0203 in the message; because there is no matching entry in the CAM table, the message is forwarded (flooded) to all ports, including the CPU and the multicast router, and the copy forwarded to the multicast router is tagged, according to the receiving port, with the vlan number (for host 1, vlan 1).

After receiving the IGMP Membership Report message, the multicast router extracts the vlan ID (vlan 1) from the message and uses it to obtain the User ID (host 1) corresponding to the user; the multicast router takes the found User ID as the user name and the address (224.1.2.3) of the multicast group the host wants to join as an attribute, and sends the extended RADIUS authentication message to the AAA server for authentication; the AAA server determines whether to accept the user according to the service applied for. If the user has the required privilege, the AAA server responds with the acceptance message, otherwise it sends the reject message as the response. On receiving the reject message, the multicast router does nothing; on receiving the acceptance message, the multicast router records the address of the multicast group the user may join in the user's multicast access privilege table, performs the multicast router's routine processing on the message, then generates and transmits the HGMP Join message to the switch, which comprises the vlan number (vlan 1) of the host applying to join the multicast group, the address (224.1.2.3) of the multicast group the host applies to join, and the Join command field.

After receiving the HGMP Join message, the switch adds an entry to the CAM table that comprises the MAC address (0100.5e01.0203) corresponding to the multicast address (224.1.2.3), the port number (2) of the host applying to join the multicast group, and the port number (1) of the multicast router connected with the switch. The port number of the host is obtained by searching a table with the vlan ID.

Now refer to FIG. 7. When another new host (assume the fourth host, host 4) joins multicast group 224.1.2.3 (assume the host has already passed access authentication in the same way as host 1 in the first step) and likewise sends the IGMP Membership Report message to the switch, the Switching Engine finds the entry by searching the CAM table with the destination MAC address 0100.5e01.0203, and then sends the message to ports 1 and 2 (i.e. the multicast router and host 1) listed in the entry.

After receiving the IGMP Membership Report message, the multicast router extracts the vlan ID (vlan 4) from the message, with which it finds the User ID (host 4) corresponding to the user by searching the multicast access privilege table; it then takes the User ID as the user name and the address (224.1.2.3) of the multicast group the host wants to join as an attribute, and transmits the extended RADIUS authentication message to the AAA server for authentication; the AAA server determines whether to accept the user according to the service applied for. If the user has the required privilege, the AAA server responds with the acceptance message, otherwise it sends the reject message as the response. On receiving the reject message, the multicast router does nothing; on receiving the acceptance message, the multicast router writes the address of the multicast group the user may join into the user's multicast access privilege table, performs the multicast router's routine processing on the host's join message, then generates and transmits the HGMP Join message to the switch, which includes the vlan number (vlan 4) of the host applying to join the multicast group, the address (224.1.2.3) of the multicast group the host applies to join, and the Join command field.

After receiving the HGMP Join message, the switch will search in the CAMtable with the MAC address (0100.5e01.0203) that corresponding to theaddress (224.1.2.3) of the multicast group; because there exits theentry in the CAM table after host 1 have joined the group 224.1.2.3 inthe above step as shown in FIG. 6, the same entry that is identical withthe result of last search will be obtained; the port number of the host(5) will be added in the entry after the port number 5 is obtainedthrough searching in the CAM table with the vlan ID.

As shown in FIG. 8, when the multicast router receives the multicast flow sent from the multicast source, the multicast flow is forwarded to the egress according to the CAM table. Because the multicast router creates the multicast forwarding egress based on the real ports of the switch rather than the vlan number when handling the IGMP Membership Report message of the host, the switch connected with the multicast router has only one egress in the CAM table, and only one copy of the multicast flow is transmitted to the switch, without the vlan ID in the multicast data packet.

As shown in FIG. 9, when host 1 wants to leave multicast group 224.1.2.3, it sends the IGMP Leave message to the switch; in FIG. 9, the IGMP Leave message sent by host 1 corresponds to the arrow drawn from host 1. The Switching Engine searches the CAM table with destination MAC address 0100.5e01.0203; after finding the entry, the Switching Engine transmits the message to the ports listed in the entry, 1 and 5 (i.e. the multicast router and host 4).

After receiving the IGMP Leave message of the member, the multicast router extracts the vlan ID (vlan 1) from the message, obtains the corresponding entry by searching the multicast access privilege table with the vlan ID, and then deletes multicast address 224.1.2.3 indicated by the IGMP Leave message from the entry, as shown in FIG. 9; i.e. after deleting address 224.1.2.3 from the multicast group column (group) in the pane at the right side of the multicast router, which lists the groups the user corresponding to vlan 1 has the right to join, the multicast router completes the routine processing of the leave message of the member, then generates and sends the HGMP Leave message to the switch. In FIG. 9, the HGMP Leave message corresponds to the downward arrow drawn from the multicast router; the message comprises the vlan number of the host (vlan 1) which wants to leave the multicast group, the multicast address (224.1.2.3) to be left, and the Leave command field.

After receiving the HGMP Leave message, the switch obtains the entry by searching the CAM table with MAC address 0100.5e01.0203 corresponding to multicast address 224.1.2.3, gets port number 2 of the host which sent the IGMP Leave message by searching with the vlan ID, and deletes port number 2 from the entry.
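The join and leave procedures of FIGS. 6 to 9, as an added simulation written for this page (not code from the patent or its applicant): the router's multicast access privilege table, the switch's CAM table keyed by the group MAC, and the HGMP Join/Leave commands that tie them together, including the active leave on host offline (claim 5) and removal of an entry once no host port remains (claim 10, as I read it). The vlan-to-port layout, the User IDs and the class and method names are constructed for the example.

```python
import ipaddress

ROUTER_PORT = 1  # switch uplink port toward the multicast router (port 1 in FIG. 6)

def group_mac(group):
    """Layer-2 address of an IPv4 group: 01-00-5e followed by the low 23 bits of the address."""
    b = ipaddress.IPv4Address(group).packed
    return "0100.5e%02x.%02x%02x" % (b[1] & 0x7F, b[2], b[3])

class ControlledMulticast:
    def __init__(self, vlan_to_port, privilege):
        self.vlan_to_port = vlan_to_port  # switch: one vlan per host port (constructed layout)
        self.privilege = privilege        # AAA server: User ID -> groups the user may join
        self.access = {}                  # router: vlan ID -> [User ID, set of joined groups]
        self.cam = {}                     # switch CAM: group MAC -> set of ports (router + hosts)

    def authenticate(self, vlan, user_id):
        self.access[vlan] = [user_id, set()]  # portal/AAA login succeeded: router records the pair

    def igmp_report(self, vlan, group):
        """Host on `vlan` sends an IGMP Membership Report for `group` (FIG. 6/7)."""
        user_id, joined = self.access.get(vlan, (None, set()))  # unauthenticated vlan: no User ID
        # Extended RADIUS request: user name = User ID, attribute = group address.
        if group not in self.privilege.get(user_id, set()):
            return "reject"                # AAA rejects; the router does nothing
        joined.add(group)                  # group written into the privilege table entry
        self.hgmp_join(vlan, group)
        return "accept"

    def hgmp_join(self, vlan, group):
        """Switch handles HGMP Join: create or extend the CAM entry for the group MAC."""
        entry = self.cam.setdefault(group_mac(group), {ROUTER_PORT})
        entry.add(self.vlan_to_port[vlan])

    def igmp_leave(self, vlan, group):
        """Host sends IGMP Leave (FIG. 9): router clears the group, then sends HGMP Leave."""
        if vlan in self.access:
            self.access[vlan][1].discard(group)
        self.hgmp_leave(vlan, group)

    def hgmp_leave(self, vlan, group):
        """Switch handles HGMP Leave; an entry with no host port left is removed (claim 10)."""
        mac = group_mac(group)
        entry = self.cam.get(mac)
        if entry is not None:
            entry.discard(self.vlan_to_port[vlan])
            if entry <= {ROUTER_PORT}:
                del self.cam[mac]

    def host_offline(self, vlan):
        """Router learns the host is offline and actively leaves all its groups (claim 5)."""
        if vlan in self.access:
            _, joined = self.access.pop(vlan)
            for group in list(joined):
                self.hgmp_leave(vlan, group)

    def deliver(self, group):
        """Host ports that receive the single copy of the flow sent by the router (FIG. 8)."""
        return self.cam.get(group_mac(group), set()) - {ROUTER_PORT}
```

Because only the low 23 bits of the group address reach the MAC, 32 IPv4 groups share one CAM entry; the switch therefore forwards on the group MAC while the router's privilege check is on the full group address.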

The steps above describe in detail the control processes on the multicast members of the controlled multicast method according to the present invention; moreover, the above method also comprises the relevant control on the multicast sender, as shown in FIG. 10. When the host (which is the message source (IDC) in FIG. 10) transmits data to a certain multicast group, the multicast router which receives the data first downloads the multicast ACL (Access Control List, ACL for short) via the multicast service control server and filters the data messages with the multicast ACL; only the messages that satisfy the requirements can be forwarded to the Multicast Tree. The multicast ACL is composed of the command word, the source address and the group address, which is also the destination address. In order to avoid the disadvantages caused by discrete configuration, a centralized multicast service control server is usually adopted to distribute the multicast ACL to each multicast router, which further controls the functions of senders; at the same time, the multicast service control server also acts as the AAA server. Of course, the multicast ACL can also be distributed by a centralized policy server or the network manager.

The above system and method for implementing controlled multicast have been tested in several apparatus designed by the applicant; the results are very successful, and the goal of control over the multicast is realized according to the present invention.
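The sender-side filter of FIG. 10, as an added example that is not part of the patent text: a multicast ACL of (command word, source address, group address) rules applied by the first-hop multicast router to each data message before it reaches the Multicast Tree. The rules, addresses and function names are constructed; prefix matching, first-match-wins and default deny are assumptions, since the page states only the three fields of a rule.

```python
import ipaddress

# Constructed multicast ACL in the form the page describes: command word, source address,
# group address. Prefix matching and first-match-wins are assumptions, not stated on the page.
MULTICAST_ACL = [
    ("deny",   "10.1.1.99/32", "224.0.0.0/4"),   # one source barred from every group
    ("permit", "10.1.1.0/24",  "224.1.2.3/32"),  # the IDC subnet may feed group 224.1.2.3
    ("permit", "10.2.0.0/16",  "239.0.0.0/8"),   # a second source range, admin-scoped groups
]

def acl_permits(acl, src, group):
    """First rule whose source and group prefixes both match decides; no match means drop."""
    s, g = ipaddress.IPv4Address(src), ipaddress.IPv4Address(group)
    for word, src_net, grp_net in acl:
        if s in ipaddress.IPv4Network(src_net) and g in ipaddress.IPv4Network(grp_net):
            return word == "permit"
    return False  # default deny (assumption): an unlisted sender never reaches the tree

def forward_to_tree(acl, packets):
    """Filter (source, group) data messages at the first-hop router; return those forwarded."""
    return [(src, grp) for src, grp in packets if acl_permits(acl, src, grp)]
```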

1. A controlled multicast system, comprising: an Ethernet switch; a multicast router, wherein: the Ethernet switch connects with each of a plurality of hosts in a downlink, and connects with the multicast router in an uplink, the multicast router connects with a multicast router of other systems in the uplink, the Ethernet switch implementing multicast exchange of a layer 2, and an IGMP V2 protocol is adopted as group management protocol between the Ethernet switch and the host; wherein the controlled multicast system further comprises: a portal server, connecting with the multicast router and providing an interface of user access authentication; an authentication server, storing configuration of privilege for the host which wants to join in the multicast group; wherein: the multicast router and the authentication server are configured to adopt a Client-server structure by which the authentication server authenticates identification of the host to join in a multicast group with information inputted through the interface provided by the portal server, and the multicast router records a User ID and a vlan ID corresponding to the User ID of the authenticated host and then distributes control commands according to results of the authentication to control multicast forwarding operations of the Ethernet switch; configuration of privilege comprises a corresponding relation between the User ID of the host and an address of multicast group in which the host wants to join; the information inputted through the interface provided by the portal server comprises the User ID and a password; each port through which the host is connected to the Ethernet switch is a vlan port; wherein the authentication server in the system is further for, after receiving an extended RADIUS authentication message from the multicast router, of which attributes include the User ID as the user name and the address of multicast group in which the host wants to join, detecting whether to accept the host joining in the multicast group based on the configuration of privilege; responding with an acceptance message to the multicast router if the host has suitable privilege, otherwise returning a reject message; wherein the multicast router in the system is further for, after receiving an IGMP Membership Report message from the Ethernet switch, according to the vlan ID in the message, searching the corresponding User ID in a multicast access privilege table of the multicast router, and then sending the said extended RADIUS authentication message to the authentication server; after receiving the acceptance message from the authentication server, writing the address of the multicast group in which the host can join into the said multicast access privilege table, and implementing a routine disposal on join messages of the host, then generating a Join message, which comprises the vlan ID corresponding to the port that links with the host which wants to join in the multicast group, the address of the multicast group that is applied for, and a Join command field, and then transmitting it to the Ethernet switch; moreover, completing a routine processing of creating multicast forwarding tree on the IGMP Membership Report message; doing nothing after receiving the reject message; the Ethernet switch for, forwarding the IGMP Membership Report message from the host, wherein the IGMP Membership Report message forwarded to the multicast router port carries the vlan ID of the host; after receiving the Join message from the multicast router, searching the MAC address corresponding to the address of the multicast group in the forwarding table; if the entry corresponding with the MAC address is found, obtaining the port number of the host via searching in the forwarding table with the vlan ID in the Join message, and then adding the port number into the said entry; if nothing is found, adding an entry in the forwarding table, which comprises the MAC address corresponding to the multicast address, the port number of the host which applies to join in the multicast group, and the port number of the multicast router connected with the Ethernet switch; after receiving a multicast flow from the multicast router, forwarding it to ports of the Ethernet switch with the current forwarding table.
2. The controlled multicast system according to claim 1, wherein a RADIUS+ protocol extended from a RADIUS (Remote Authentication Dial In User Service) protocol is adopted as communication protocol between the multicast router and the authentication server.

3. The controlled multicast system according to claim 1, wherein the authentication server is an AAA (Authorization And Authentication) server.

4. The controlled multicast system according to claim 1, wherein: the multicast router in the system is further configured for: after receiving an IGMP Leave message: extracting the vlan ID from the message, and obtaining the corresponding entry in the multicast access privilege table via searching with the vlan ID, then deleting the address of the multicast group indicated by the IGMP Leave message in the entry; after completing a routine disposal on leave messages of the host, generating a Leave message and sending it to the Ethernet switch, which includes the vlan ID of the host which wants to leave the multicast group, the address of the multicast group which the host wants to leave and a Leave command field; and the Ethernet switch is further configured for: after receiving the Leave message from the multicast router, obtaining the entry through looking up the forwarding table with the MAC address corresponding to the multicast address of the multicast group, and getting the port number of the host with the vlan ID in the Leave message, and then deleting the said port number from the said entry.

5. The controlled multicast system according to claim 1, wherein the multicast router in the system is further configured for: after learning of the offline status of the host, actively generating the Leave message and sending it to the Ethernet switch; and terminating the multicast flow transmission.
6. A method for implementing a controlled multicast, comprising: A. in advance, according to ports of an Ethernet switch, classifying vlan with one vlan for each port, and linking one port to one host; making access authentication for a host which wants to join in a multicast group, if the authentication is successful, executing step B, otherwise ending; B. forwarding an IGMP Membership Report message from the host by the Ethernet switch; C. detecting whether to accept the host joining in the multicast group, if it is, generating a Join message to control establishing of an entry in a forwarding table of the Ethernet switch by a multicast router, and forwarding a multicast flow from the multicast router according to the current forwarding table by the Ethernet switch; otherwise ending; wherein in step A, the said step of making access authentication for a host which wants to join in the multicast group comprises, in advance, storing configuration of privilege for hosts which want to join in the multicast group in an authentication server that connects with the multicast router, wherein the configuration of privilege includes a corresponding relation between a User ID of the host and an address of multicast group in which the host wants to join; inputting information including the User ID and a password through an interface provided by a portal server, and authenticating identification of the host with the information by the authentication server; recording the User ID of the host and a corresponding vlan ID of the host in a multicast access privilege table by the multicast router after the authentication is successful; wherein the step B further comprises, if the port corresponding to the destination MAC address in the IGMP Membership Report message is found in the forwarding table, forwarding to the found port, otherwise forwarding to all the ports; wherein the IGMP Membership Report message forwarded to the multicast router port carries the vlan ID of the host; wherein the step C further comprises, C1. after the multicast router receives the IGMP Membership Report message, searching the User ID of the host in the multicast access privilege table based on the vlan ID in the IGMP Membership Report message; then sending an extended RADIUS authentication message, which includes the User ID just found as the user name and the address of multicast group in which the host wants to join as the attribute, to the authentication server; detecting whether to accept the host joining in the multicast group by the authentication server according to the configuration of privilege; if the host has suitable privilege, responding with an acceptance message to the multicast router by the authentication server, and then executing step C2, otherwise returning a reject message; the multicast router does nothing and ends after receiving the reject message; C2. after the multicast router receives the acceptance message, writing the address of the multicast group in which the host can join into the said multicast access privilege table, and implementing a routine disposal on join messages of the host, then generating a Join message, which comprises the vlan ID corresponding to the port that links with the host which wants to join in the multicast group, the address of the multicast group that is applied for, and a Join command field, and then transmitting it to the Ethernet switch; moreover, completing a routine processing of creating multicast forwarding tree on the IGMP Membership Report message; C3. searching the MAC address corresponding to the address of the multicast group in the forwarding table by the Ethernet switch; if the entry corresponding with the MAC address is found, obtaining the port number of the host via the vlan ID in the Join message, and then adding the port number into the said entry; if nothing is found, adding an entry in the forwarding table, which comprises the MAC address corresponding to the multicast address, the port number of the host which applies to join in the multicast group, and the port number of the multicast router connected with the Ethernet switch; C4. sending only one copy of the multicast flow to the Ethernet switch by the multicast router.
7. The method for implementing a controlled multicast according to claim 6, for the host which wants to leave the multicast group, the method further comprising: forwarding an IGMP Leave message from the host by the Ethernet switch; and generating a Leave message to control deleting the entry of the host in the forwarding table after the multicast router receives the IGMP Leave message.

8. The method for implementing a controlled multicast according to claim 6, further comprising: actively generating the Leave message to control deleting the entry of the host in the forwarding table by the multicast router once learning of the offline status of the host; and terminating the multicast flow transmission.

9. The method for implementing a controlled multicast according to claim 7, wherein: the step of forwarding an IGMP Leave message from the host further comprises forwarding the IGMP Leave message from the host based on the current forwarding table; the IGMP Leave message forwarded to the multicast router carries the vlan ID of the host; the step of generating a Leave message to control deleting the entry of the host in the forwarding table further comprises: after the multicast router receives the IGMP Leave message, extracting the vlan ID from the message, and obtaining the corresponding entry via searching in the multicast access privilege table with the vlan ID, then deleting the address of the multicast group indicated by the IGMP Leave message in the entry of the multicast access privilege table; completing a routine disposal on leave messages of the host, and then generating a Leave message and sending it to the Ethernet switch, which includes the vlan ID of the host which wants to leave the group, the address of the multicast group which the host wants to leave and a Leave command field; and after the Ethernet switch receives the Leave message, obtaining the entry through looking up the forwarding table with the MAC address corresponding to the multicast address of the multicast group, and getting the port number of the host with the vlan ID in the Leave message, and then deleting the said port number from the said entry.

10. The method for implementing a controlled multicast according to claim 9, wherein the step of generating a Leave message to control deleting the entry of the host in the forwarding table further comprises: if the deleted port is the sole port of the said entry in the forwarding table, further deleting the whole entry.

11. The method for implementing a controlled multicast according to claim 6, further comprising: during the message forwarding, adopting a vlan protocol between the multicast router port and the Ethernet switch.

12. The method for implementing a controlled multicast according to claim 6, the method further comprising: filtering data messages sent by a multicast sender with a multicast Access Control List (ACL) at the first receiver among the multicast routers; and forwarding the data messages that satisfy the requirements in the ACL to the multicast tree.

13. The method for implementing a controlled multicast according to claim 12, wherein the multicast ACL comprises a command word, a source address and a group address.

14. The method for implementing a controlled multicast according to claim 12, wherein: the multicast ACL is distributed to each multicast router by a centralized multicast service control server; and the multicast service control server acts as the authentication server.

15. The method for implementing a controlled multicast according to claim 12, wherein the multicast ACL can also be distributed by a centralized policy server or a network manager.